Proxying Wayland for security
hi at alyssa.is
Tue Jul 27 19:29:45 UTC 2021
Hi! I'm Alyssa and I'm working on Spectrum, which is a project
aiming to create a compartmentalized desktop Linux system, with high
levels of isolation between applications.
One big issue for us is protecting the system against potentially
malicious Wayland clients. It's important that a compartmentalized
application can't read from the clipboard or take a screenshot of the
whole desktop without user consent. (The latter is possible in
wlroots compositors with wlr-screencopy.)
So an idea I had was to was to write a proxy program that would sit
in front of the compositor, and receive connections from clients. If
a client sent a wl_data_offer::receive, for example, the proxy could
ask for user confirmation before forwarding that to the compositor.
I could just implement this stuff in a compositor, but doing it with a
proxy would mean that a known subset of the protocol could be used
with any compositor, with appropriate access controls. It would also
be a reusable component that could be customised to have different
access control policy depending on the needs of a distributor or user.
Which brings me to the reason I'm bringing this all up on
wayland-devel. I'd be grateful for any input about this idea,
* Is this a sensible idea? Is there something I haven't considered
which would make this unworkable, and force me to do a
compositor-specific implementation instead?
* Is this something that would be likely to be generally useful,
outside of our project? Would it make sense as something to
collaborate on / have as a freedesktop.org project?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 832 bytes
Desc: not available
More information about the wayland-devel